Pricing Customers

Secure and Reliable Billing Software

A winning combination of enterprise-grade security to protect your customers and proven reliability to keep your recurring billing running smoothly.

PCI DSS Level 1 Compliant

Chargify is annually audited to maintain the highest level of PCI compliance for a service handling sensitive payment data. With billing information flowing through Chargify, you can comply with industry-standard security practices without the time and resources required to maintain such standings. Our number one goal is to protect you and your customers.

Download Chargify’s compliance validation

Image of Sample Credit Card of Chargify.com Chargify is the Number One SaaS B2B Billing Solution

SOC 1 Type II Report

Service Organization Controls (SOC) exist to validate a company’s controls and ensure industry standards are followed. Our SOC 1 report was prepared in accordance with the Statement on Standards for Attestation Engagements No. 16 (a.k.a SSAE 16) and documents operational policies and procedures for Chargify’s system of internal controls.

Two-Factor Authentication

As a security best practice, we require secure passwords for all Chargify users. As an additional layer of protection, we provide the ability to enable two-factor authentication. When enabled, internal team members must enter an authentication token from their mobile device prior to gaining access to the Chargify interface.

Image of Two Factor Authentication With Password on Chargify Site the #1 SaaS B2B Billing Solutions Website

Image of Access Controls Window on Chargify Site the #1 SaaS B2B Billing Solutions Website

Fine-Grained User Access Controls

Your teams play important roles in running your subscription business, but not every team member needs full access to Chargify’s interface. Customer support needs to access and manage subscription information, finance needs to view and export financial metrics, etc. Our access controls allow you define what users can see and do within your Chargify account.

Reliability You Can Count On

Data Redundancy

Our software runs in three datacenters across the US. On a daily basis, we export the database and store it in an offsite facility for extra redundancy.

24/7 Monitoring

Extensive performance and availability monitoring allows us to keep a close eye on system health and mitigate unforeseen issues early on.

99.99% Uptime

Uptime is as mission critical to us as it is to your business. Our trailing three-year uptime record is 99.99%, and we’re fanatical about maintaining that record.View our uptime report.

Hacker Tested

We regularly submit ourselves to hacking by the best "good-guy" hackers in the business. This practice ensures we remain the most reliable, secure system in the industry.

PGP Key

We provide a PGP key to encrypt sensitive communication that you send to us.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1

mQINBFv+9yoBEADNtJWF+QHJuWLIENYiA2QZIxvVhFk877xrkH1MkFUh1n4aJXuj
/AdCoJIUut907rdvYYbCp3ouvFkzszyudHwKI5lfbsDvZXV0yLlt7trA3yaVdSB0
NqXXqwfuvtJ2lt+7+Dzpnqe4jdiB7mSFLOXn/3gJ1wIZREUQlyi7ID9RwpyJd8fG
YDIjDMBBbSwC245syfmOgrR8dN0j9rBBodCoCrWvEJHFRwdqduVaFbrAQh8TVTDe
2s/0V6n2STEWJrvu5uTUo5qwb1cd1Ll25/P20sP57L1T8SrbaZ4i3LayfJR7H0K5
4XcuXcSqdhlRyti7gwR33I3YJuPruZsN1VO/8u7QgSO7IuNVI8o+94YuHQmQw2mb
8S5ug0BOkUkRca5CdtW5MFo84Ep8EAPhrS8/1OZnG0MWXiXp/BwX1UAiUyRkah3B
Uw75laGJa4cOrJbTsNMV7i2TRxVg5GDp2XUEonwKtY1ird7f3Mi1cTKCttJazApI
s0nf4VlMuoJcq5PdzUETJSR15VXPc0e60/43EdQ04fQryCWs3gNah5h6PPdVNe/C
WCy1nXRe89OEPfKHfg3ACEZDHfENMvR+FjimGsNKu6wquHIDNkWTCet83EbHmBnS
rC9B8qkAupk9HBYpZDkefBs3xm0zwW4wCMpS/lbt/y/I7FWljMIWFjhSpwARAQAB
tClDaGFyZ2lmeSBTZWN1cml0eSA8c2VjdXJpdHlAY2hhcmdpZnkuY29tPokCVAQT
AQgAPhYhBHIwo8w4s+zSI6v8tPn0m6Hu9ohOBQJb/vcqAhsDBQkB4TOABQsJCAcC
BhUKCQgLAgQWAgMBAh4BAheAAAoJEPn0m6Hu9ohOgpcP/3H9ZHRrPazk7u6QrS/F
BOdQb7Xeinw48vN4AvbMc9+6ZmVwgpNZAnmNDOp281Cy3HmSJHur+u6qOFLE7zzU
ukmkU1xRr0VZDn/zC/POGEceUI1wUylsjRIu0gA7kJ7vifC2k8y1t9EATM/8z3hI
md5ymIjdUSO90IuyChiJMDtOBivTaqtnDU8Y+X8MtgsHFuJLN98mIZD9goqpXmZT
9mb/OYsPlU5SOaDQRLGJhL2UG3QKeH66W1ogZbI/rxZ7tlLXV3F5HBmntB8KMVmW
ecaBFwSVs5/lGeGGQE6VrWqBuhptbYuLgP6lu3gZz55V75z6cubrUVwgHoUYQzA6
/gPS8Ja6hN4dwEGvoCh/T5Jer7Rh8rZqNXURVUqa+GTpLKlGdEDBtOxGr38EJgCu
vImoRJ3AUzJTYYUBMghyjn9rYtNFpBy9mXK3oKKM+KsF2SRyRpqlVevsN/XtsV9/
cJGclISPaI2KTXDY5YPXXWXOLTSrT/FLHjYm4jK4SHiM65GdsJOAPbWiuOwOTtZJ
tYd4GjxNdNYWa7DThu+2tLUydk5zNWTgcULkx24yokKBHw9Mb0J1fvUK2TEY9Hlc
YOPUj0hIfu4N4Yx7mkOaSkfzZQqPCQful1dosawE9AOMbCyviUnMTCQFSYhCQ85M
ByXXfdkC5JYhCm7PWDeL3R0vuQINBFv+9yoBEADsFAXRJUoJq2Z8FhntNZZPajhj
qprN19deCftRhopP6adABVxBbFHYtLx1aWqG7lNN1HoJnNWN8740uNcWOhZWE7Lm
XNyFuTNnLK2MAOjACi+uu7Cqf/7pkWhdRDzQCNp4m9IfYnxe6A76zQfnSI/vCXoZ
x3IesqfraKp9IPF9M6wTBy4E/nGHmDICbyljhWJs8HEjlbSTmsBR4QWtpPc1oJIM
fa5F9N05CrVfOQZCyiAcqTV/Cy+pYdQNoWvTdGJmoG86zWijmQuoHEbSUMbvh5Vi
2nrDGSBX9meXEqrj/DkLHPF0F0boaeTCw+baEGDyUdV/3LYTMlWtXwtzZQNq/9+w
a7tZJJlt904sPw1W59Wyi+ihDUl8jo1kB7/ZKncqcbpKA6WZYCkJXAvybMLu49C/
jCS9KdNN6ImWGi4jJwAP1Tsjykr1xDwOCZibWY3ns7xyQlr+uVTC3nbktgooDyQk
DaszqC6irO4OOfkkotrFzn3NvZGdbKRVmc/WRcnnlIRCgVF3Y7PoSJnLCD8+D7Bs
ertT2X2Yw+u//nfZ11lQ2ZhkP+ZGQGb5AGOJg9IoRcha/5NjG4GzoItfLUImBZpz
ieHGtuo85O42sbfGWEoh4nmACiavAjdpV+EqPJBit+glMOhYgmtECI2EOG15KQfE
KcFh53j9CsDIvlvDRQARAQABiQI8BBgBCAAmFiEEcjCjzDiz7NIjq/y0+fSboe72
iE4FAlv+9yoCGwwFCQHhM4AACgkQ+fSboe72iE6HsxAAysikpB+F0WtkC60rV7wg
ZQZC9yTBHWTzNlJFOzJRqc7dWx+oNBC+cZ8cp1agQD5xtVep2p6L25+PZBK+CxIA
rZ3COyDGyOlv8aj3juFzgXvtN4YhRGKa5FL9pa7Ynt0heSAjnHorHg/wb7LLWzE6
H/9i6xyeQ8ZyVhay7j8k/tYMLg0nAjXxNKyhwy3EQ8G3ouWWNNfBqyQwyrwgxAMY
nWM7hObajIB6E60QDlHRpXH3EXrFb/EQIiBApMpsNd3guGmL+vfTgKVTztOA3o+g
KiO3PSziFqDA/ZhwIpo6prGCj0ocPaY9vhnvw+htLs4vcIPYLblNWGdjgdJAa5eO
oX2S46+dkWq1u3NnIcV+Bn+j7+UJOC8VHPC1c/h5krCyPXJxgHwMIaZs4J0XH55g
c+fP03dQewSgkyfgLWEk+3GDfsMivkRFjwLJscYp6HDcZ3ek6kTBk4UbqsnACkea
He9vpXvihrNPqLYROsp6mMsLWsmj3hBcD5ZrgQVikyLuCi/vI1eEOVoDEP/KiD2f
Z/UgbJJaTdQq09g+OhtaM4Iz549ItLUeMzUCqFDnlsyzMChOya1JsnHl8CstgzZd
YAegO38vKBk8lWlTAzGuuoNizkLdNityGz4LpIeF7FcjdtDaMjif/NSV12LSEUwt
rSJpn+Pc8LUqocy23oSBxcuZAg0EXfEnUQEQAKOuD4PGhDUd3RD1bdv6eyVjiup9
A0keT9/6/ekNeiurOuK8NACFizjfH+0tXLCdRE0R8jMP929ncouARJSGxl3LU2wk
Hc0p/DN46pawEWpbpffNr2LeOP/GFUZs5yIlJHg9a5FHCUaHogUoQSb3aNVBr0xl
sflt9jxU7Za6yEbuDOkvXSJNMxP1X8WeyDNrh6kLbS2kHKASsWzxm7fVn9SicNoQ
0NeArNKqg/5tsOQIayn6raqQTsroyacdv/2nza6mQAbD24Zw9FcsxBQlEYjo/TgR
URw2nHrRCUS7q0NTIbQDJFLPj0WdN1QIoq5lR7DFO+ZiF/AnGzZVrPDM2cceZWLO
nWB2RbXBPqxDvKpPzDRhJTexxYtnTPMbHf8w/0WbX0Hj4MktPtj4Y1liSWYQ/Sj5
W7gu+9QB4HutmEboFaW39zWmKD5B9KM3fIKKL+/Om+U+ENumCbbMqap9KgpuFGwi
2uO6AcovpHHpS21vfC0KxAwuKpf+YP7uVLun7bESOKQ6HJz9AHFHIR75aDehl9Qr
p09x96UpB9F9+TWiM65y2LyNJeYYGUAilecBDOPyFoLqoEmrePz4udbJwt/qrrhH
LGhHv3biUH/kHqpJfEu5DkiW40DlV9hdfbRGq+l1HkCe6MkhBYigWlPDq7FWFoy6
/7W0hefgpv449LkjABEBAAG0KUNoYXJnaWZ5IFNlY3VyaXR5IDxzZWN1cml0eUBj
aGFyZ2lmeS5jb20+iQJUBBMBCAA+FiEEfDJn5wdXeD7w72f+7Y2SC9XSNh8FAl3x
J1ECGwMFCQHhM4AFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ7Y2SC9XSNh8x
9A//X2uEK17psMTaahfB+x3sfebU/WKfI/eYTTDRQuaWH5c7MJK86cSSRrMBSOQ8
UP9lBDGSidRDDcdo2dqpzFzYH9niyjiUEWBQYMEkpYdhMvGAxQdS7LYPkUZMT3HY
EliwY5JhzINPruAD6NCN201ECUzA0N0tYZVj2SOF+jP6/yiNKSZE3Aajt90Bx6ve
IzOlT1YWKmyOFp/9UlwB5kOmSvIagJfOAfEJZgJZzo8OFUNSRn/OrQvhyS75VgrF
j+lPx2BUR+oTbFzT/WX1+xTL3mh+BM6nl+1adynegvldQjwxO6ZUwRYNWaW64pZz
NU7h0MRzLecNbu7Ykl2g2T+vOcXWw2jjVVl+O3eJ20Sefl+f17jOGjLZNon8ThuQ
TdTq56oW5fa1vpLcxYoAyNKqCRmqIJ/lcAM2dSV0UREG9V25HTJbUU5oOF72P+wc
KSW4Ury0yaYVYd2oTCd92mcOEkSr0r3sa/Z8VdOg++sv6p1aRHFkIu8GcV+W9h3E
xTko+kM0m9t0pIP6N7zQmbf/6uDjZcmmgTwOKKCCIdvLGyZTnNUCHzF3rLHqyISW
QN/ditho/f1RIjCTmM2WOL7UowaLf5v6+JKTx7WzeFJPgMAb0LacwpQ8rTaVKQqa
x8YyXW22eu2fsb/xP+2kQ4Im7EFgu6w09s7bYA9bOLNIcby5Ag0EXfEnUQEQAJ20
W85rNO66ZNqXFVkEec59J8SOG5Ml4rYA4XfIiNC7veNfOheg+4bNCNTt+f5cRLTR
JKR+OnmHBaghHX/lvsaC2oxdBwIwB5OGs9XAX5fNI+SbVtaSEYfGENoAJuSy2/+X
AAslangEaxdY4t+pj2aSaB3jXUMwrWCfbhe2a976Ux4Ys1Ywpc3U/jkC64CKDrKl
F8ImOs1g04REtkDXTvAgnzfskO83N0u5cbDaWHJLbGxbr6FxDq54VJeMwgKPUayO
GNNRQJYGo8P6xPRJgKqQ7JhJpkiMV/uMCpoEkovSBRGSG3POVDFzMfQWVl55iG4h
7L+uXHUlXJ63Im8bL/4eEvPqY/yIV8VSBdrtQclqjo1KyWT5KgbvpdgNLHQBDd/R
IV64zzPjzNH7osIKk5kDUGf9/sefM5gsdw4XJa/h+8BEs7dNlmMtlPNH+EEGt2nZ
ITotkAbjSgjHivAVrBhDZEo0WQcKZmwcv/n/ixQN5xY1K2ayIU3ksE04QraUPQfW
iWG5aIPMWhP8IsRs1Ot/mHfWQUA6oh3ADq7R0dxK7zjx32OJRjsRYpqjzc2978Yk
Xth6VQnlINslOZve8xHtqXp9LhqSkpMvd95TDISPcES+bRC945y8KGo3C+o4wfAq
fSDNyMY/vz7qTJWiqaGwMkUzPFJnK5eHLcZHx0yPABEBAAGJAjwEGAEIACYWIQR8
MmfnB1d4PvDvZ/7tjZIL1dI2HwUCXfEnUQIbDAUJAeEzgAAKCRDtjZIL1dI2Hzlm
D/45xbpQX4Z+k4WLtu6tAPG5wlctVXzTXn81I3BQKnJG+fkXefbgrO9e+LOpZvFY
YTcnCKQKd5GG7bB8SOcw4BIBVxCo64CO5XOH2ymg6MD0wB3WMfdCH/jS9SFt2IyF
5C6UoV9/jE819YjxlmsW3oJbQ3QYrLC8L9dpZpdnuBqSN49hKRrgkXkAYksNCLUf
PJSRkMBHkc5wdiIHv8+qDaAwR1tcJcF6+ca4OytkTrny+QQwd5TqnSa3hLtULbuG
XbPUgwqtyEp0JTklwl36ckUHepIbTIQmMpSOpBLYm9Up8dN347v3+yIZ9C3p69ta
6BI7ZsedvoNlSZ1ca2RvBZrkGiu/rD4hy+zD1OJmSCdQWANTCV2qyIjou7OnB+1O
HEppPsB9m44Lf4WDCUo76aCWm5FBqPmYl1yD0s8nv2oxrQnN44PI+IxmnVArpc84
GZsodOS/+KU8Yspv1plpr3Cafur3sH3R2Un/Fo74zm2f5sow+7+PnzZQBUXnh+ym
BsxsJWQnNqoUwBolpbrMFrE+FSHgSqZWgcOI610nhs7Mw9EWvWB+1Ulatok/yrtC
bkOYysD42Gac9d2QFBU+SBahzYzdNrIuVrtt0QjFwlHZ0RJFnnLF0pf+X+CMpxOs
T8FwbzKHyvAjGT4kxJG5L8uOe7YjP9esgi7JrivfetkxuJkCDQRf65wSARAA+aWK
7sAWw62FLAdVtQZmK9mtWcFC7p0jbUT2nWjYUuGcT69RhhPB+0jPprO3P3tVl0OH
7agf+Tny3uEtLEv7FR6a+r5fnPnq+w9zOScZcYeiNG3OAushQp3dWyRIqfGQuNR3
lqDS3K8tMhqXJ8Fb06lSGz1P5hQv8tyiBkobkr4oVz+yY/AqzD6qcusHvSK526Ml
p+/bk1tavtBBxEKlYiGnIqm5BgFc3hUtu7hyz2MNGW39//EYOANNFCnDALV8NlF+
+cemEW6aqQs4Kn2Mf1e/tVLqfC6pNiSpH28dtSGbP84Zjsg5M94ZbTnDkcROWd9j
BIgjTax0sQ0TpI8ciZQ/dQCmBGvCXc1FC92GnB1d/a51/7deWo3wJoHiq5/+RbPA
3fJO9V42aDDLTEf/eGPybTMoem7Me5aEpp9GMBsSG5N54kr4IF+gBXiA9K7ygUC0
DgLdVP+ApFgNzpGbbNFarZQ2j4hToo4yht9Wf8Jke4+OcI/vxAWbKIOorkGYGWwg
1Nw88l+Q/kwEyU0id/NmeNuEE0KE1sQ+SeiCKuIxuCQVw0egqsD6iL3mTpblbR9u
K4G51fPDKwCuAwYVN2iw6ZSEDRDiJ5nq9N1t9/EnIUyX6u/JBrRwJPhSy8PM1QQW
b9pDYHg6XJ35DZ5jZ+0lfwKB9OhIZnZjHjq4Si0AEQEAAbQpQ2hhcmdpZnkgU2Vj
dXJpdHkgPHNlY3VyaXR5QGNoYXJnaWZ5LmNvbT6JAj4EEwECACgFAl/rnBICGwMF
CQHhM4AGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEBhAoAsPlovNXloQALFr
JNR7ht1r6wPY7J6rLQzi6cWcn/tiIvKxYE9MTUIafZsb89USuFOMsMrl34GNQLk3
LQrH4KPIkNmSSp8YHeO/PrfljO+gmZ1cLY7RvBIVSk4TcuQ1bMJPp6LV8bCfXy90
keLdxc9Fa/sBEGzd8ubQdQncI1aENc+7DSeH7y5aQ9rOAqZDGUq8cfflsy2AvDHy
DmlCUjinaOEUFEF9romxsGE5pTbIJiJzfCoTchEWRi/3Ddpzmx/Tws5lvhE4sw4D
pFDtrDSOZIUrATmWIk7miaKBZ/YYi7sfnMeZgVlBApK0fRpwMAW1iJka+OsL7aqY
142Hak/BXlIepB9H8YC+4BA8P85W/wvYYcaOJ1195PfEUAZAErpf5X1l+llS09xY
8qtXB9g7cHxW342CsxDpekmUbuaKC5fooj4NHgX7eP2L3Kna0RmsaWE40wzWXs1j
fGjx9gQQl/SoO9lkz1u2pnj44MN/JgDJbxOZqalVU62p79PafWXL9OlTWJvYPK1w
m0Bbmyu7DZVNYda8wiEqUXAPCvDno21aisnPx2jud0bv/GvYjuJPO4l8DxGPwH4X
LHY5q0K3Nn7NK5UOaiU+1Z1mvHhpbBOMEZXwk5IAHMAU8CI0C3vryQ/D5qJII3KJ
sEJ6legi6mywKGwtLRHNaeob5Wu+ZuBHXYiFazKjuQINBF/rnBIBEACucDfIspUi
608Z3kfi154F+2VDYjeJV0dkxFmdBmKCaZI2oes7kjSBvU8RQeQ69viJq5dXCcGN
LO3YCyZNsXFwq46NPkl7fsRF3HcGEHMFWDZBUwbTH+OV9zgLfdUHkkhJK+qAEEir
Dt7AvA53Hp+R4omnaZiMzbx5kTv+1jaubHxGLlh6cM+H1WHWuL1fkJY9LE4shsZX
xjVZR0PfU+rk3QPjcsBRV4fgu7CmxAoytPApP3gMOZUfc8gi38rPrwZ2y77qlwk/
ZIX9OktljwKKTGaPp3GYVc79MzyUtIKl/vWHhkHEPrIF07yudXFn4qPPLITDMNYF
qA6roz2Yym7ChhFTnEfA7nRsJCexMBIbVk5wvFUTd1dnN4eTFY8KBjLrkzonFtfi
gM+b6c1oWoOfcxsUpxCZJfjn/7uwWz5mts5FoZatgXJpmcvDHFYuGg7F6UZKjVEC
OAhJs93bVRNsllxD9+mEy/kJiroYaTg8GtLV/wdFiKdz5hKk6lB6MnQ1EAL+1DKK
aHmrzPFmxka26b3YqmBooDEPuFNbnh0E95y9V49/qEogqfBokFMmFIvAW/sXnbSe
IJeC92ITsrVLxmZg/vPJuLwfVnyxcRZywRNbtQr6ZzyWCumh/hs1Ck1IF3DsHMHU
ZTROl9YzgdMPlbnqy3g6RDNIkG8+zWLQ8QARAQABiQIlBBgBAgAPBQJf65wSAhsM
BQkB4TOAAAoJEBhAoAsPlovNYZwP/2scBkw7EvQ7EK7fBKIClD99mLnj4BhE2Nwo
O7w8JiX3AlfdCp59TDxgQEa+R2nx8PFLVlIqIo7fBFELG1FW45ZlDluIzOqAYv19
knknDYl2/YdFI0ZJXQsobqnD9rRyOIWtEE/1djT2/03uaFoYlJSkvepONcsULjad
IjoG/eFDZVCItrktYnXJbOzG+OvOIR/FWMQes4aT+rJF1DVklaG8k95qyRqT4Lvc
X/ivWFdd5IxqHa4skAHJ3KIbmRNgDaEOwcvMTzHYDVG1k0hjGQuaFU9WXIXXc9gy
l8R7HbO/34JcdbVjP66Yy76i2lcD4soiteXR01ifBfw17Tow8o8UAAHefOblB2I1
hZ6Rl6HzRiIbWeRuUt5CzBzeGs8j5yeLQQohHAq7McvFxx3VVCJ7cOF+kVYqX0QM
q35N8eHiWyMDPSusmiuubv9gmga23udVdic/etJd4/CwOdTXlS57H9kR9+/btuvQ
1FxX60lkhyDT6yN8Dqm9KgUpdrcTXS0wsTa/E56/ziWZkwSPWH+5ZK13MFugd8K+
CDU1gnFkxjw1r67cn9C6MTKUAlvuEh7cQ1ptUpIm+HBIreUGQfolHw/f2nz56Qkv
e3bz1XHA62ToTZ63Yr0hgNFCxMC2OV8zOBJYLeKDmphfLx6RAQcF/wMrhFKkF7Xr
NiH6G8e0
=2eYT
-----END PGP PUBLIC KEY BLOCK-----

Key ID:

0F968BCD

Key type:

RSA

Key size:

4096

User ID:

Chargify Security (security@chargify.com)

Fingerprint:

32C6 77BA EDCF CD57 10B5 372D 1840 A00B 0F96 8BCD

Expires:

2021-12-29

Help Us Keep Chargify Secure

We take our security very seriously and welcome any responsible disclosure of potential gaps in our systems.

If you believe you have discovered a potential flaw in any area of Chargify's security measures, we ask that you please share the information with us first and retain secrecy of your findings until we have remediated the issue.

If you have identified a vulnerability, report it via email to security@chargify.com

View Rules

We ask that you follow these rules for any responsible use of our system:

You may create a test account with the following limits: TWO accounts each with no more than TWO sites and TWO users.
Not in scope: Any ancillary sites not directly hosted by Chargify (such as reference.chargify.com, status.chargify.com, help.chargify.com. Zendesk, Tumblr, etc)
All data object creation is limited to a maximum of 50 objects per type
No automated off-the-shelf scanners (like Acunetix or the Burp Suite Scanner). We’ve had these run hundreds of times already
Scripted / API tests must be rate limited to 1 request per second
Absolutely NO attacks or exploits against accounts not created by you. You may only attempt cross-account access between two accounts controlled by YOU
No DOS/DDOS tests
Absolutely no physical testing such as office access (e.g. open doors, tailgaiting).
Absolutely no social engineering (e.g. phishing, vishing).

We ask that you please do not submit low value issues when there are only loose connections to known best practices, unless you can demonstrate a chained attack with higher impact. Google maintains an exhaustive list with explanations. This also includes things like:

Invalid SPF policy and e-mail spoofing issues
Descriptive error messages (e.g. Stack Traces, application or server errors).
HTTP 404 codes/pages or other HTTP non-200 codes/pages.
Banner disclosure on common/public services.
Disclosure of known public files or directories, (e.g. robots.txt).
Clickjacking and issues only exploitable through clickjacking.
CSRF on forms that are available to anonymous users (e.g. the contact form).
Logout Cross-Site Request Forgery (logout CSRF).
Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
Lack of Secure and HTTPOnly cookie flags.
Lack of Security Speedbump when leaving the site.
Weak Captcha / Captcha Bypass
Username enumeration via Login Page error message
Username enumeration via Forgot Password error message
Login or Forgot Password page brute force and account lockout not enforced.
OPTIONS / TRACE HTTP method enabled
SSL Attacks such as BEAST, BREACH, Renegotiation attack
SSL Forward secrecy not enabled
SSL Insecure cipher suites
The Anti-MIME-Sniffing header X-Content-Type-Options
Missing HTTP security headers